/*
 * Digest Authentication Module
 *
 * Copyright (C) 2001-2003 FhG Fokus
 *
 * This file is part of Kamailio, a free SIP server.
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 *
 * Kamailio is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version
 *
 * Kamailio is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include "../../core/sr_module.h"
#include "../../core/dprint.h"
#include "../../core/mem/mem.h"
#include "../../core/parser/digest/digest.h"
#include "../../core/parser/parse_from.h"
#include "../../core/parser/parse_to.h"
#include "../../core/parser/parse_uri.h"
#include "../../core/data_lump.h"
#include "../../core/data_lump_rpl.h"
#include "../../core/error.h"
#include "../../core/ut.h"
#include "../../core/pvapi.h"
#include "../../core/lvalue.h"
#include "../../core/mod_fix.h"
#include "../../core/kemi.h"
#include "../../core/rand/kam_rand.h"
#include "../../modules/sl/sl.h"
#include "auth_mod.h"
#include "challenge.h"
#include "api.h"
#include "nid.h"
#include "nc.h"
#include "ot_nonce.h"
#include "rfc2617.h"
#include "rfc2617_sha256.h"

MODULE_VERSION

#define RAND_SECRET_LEN 32


/*
 * Module destroy function prototype
 */
static void destroy(void);

/*
 * Module initialization function prototype
 */
static int mod_init(void);

/*
 * Remove used credentials from a SIP message header
 */
int w_consume_credentials(struct sip_msg *msg, char *s1, char *s2);

/*
 * Check for credentials with given realm
 */
int w_has_credentials(struct sip_msg *msg, char *s1, char *s2);

/*
 * Set authentication algorithm
 */
int w_auth_algorithm(struct sip_msg *msg, char *alg, char *s2);

static int pv_proxy_authenticate(
		struct sip_msg *msg, char *realm, char *passwd, char *flags);
static int pv_www_authenticate(
		struct sip_msg *msg, char *realm, char *passwd, char *flags);
static int pv_www_authenticate2(struct sip_msg *msg, char *realm, char *passwd,
		char *flags, char *method);
static int fixup_pv_auth(void **param, int param_no);
static int w_pv_auth_check(
		sip_msg_t *msg, char *realm, char *passwd, char *flags, char *checks);
static int fixup_pv_auth_check(void **param, int param_no);

static int proxy_challenge(struct sip_msg *msg, char *realm, char *flags);
static int www_challenge(struct sip_msg *msg, char *realm, char *flags);
static int w_auth_challenge(struct sip_msg *msg, char *realm, char *flags);
static int fixup_auth_challenge(void **param, int param_no);

static int w_auth_get_www_authenticate(
		sip_msg_t *msg, char *realm, char *flags, char *dst);
static int fixup_auth_get_www_authenticate(void **param, int param_no);

/*
 * Module parameter variables
 */
char *sec_param =
		0; /* If the parameter was not used, the secret phrase will be auto-generated */
int nonce_expire = 300; /* Nonce lifetime */
/*int   auth_extra_checks = 0;  -- in nonce.c */
int protect_contacts = 0;	   /* Do not include contacts in nonce by default */
int force_stateless_reply = 0; /* Always send reply statelessly */

/*! Prefix to strip from realm */
str auth_realm_prefix = {"", 0};

static int auth_use_domain = 0;

str secret1;
str secret2;
char *sec_rand1 = 0;
char *sec_rand2 = 0;

str challenge_attr = STR_STATIC_INIT("$digest_challenge");
avp_ident_t challenge_avpid;

str proxy_challenge_header = STR_STATIC_INIT("Proxy-Authenticate");
str www_challenge_header = STR_STATIC_INIT("WWW-Authenticate");

struct qp auth_qop = {STR_STATIC_INIT("auth"), QOP_AUTH};

static struct qp auth_qauth = {STR_STATIC_INIT("auth"), QOP_AUTH};

static struct qp auth_qauthint = {STR_STATIC_INIT("auth-int"), QOP_AUTHINT};

/* Hash algorithm used for digest authentication, MD5 if empty */
str auth_algorithm = {"", 0};

#define AUTH_ALG_MD5_IDX 0
#define AUTH_ALG_SHA256_IDX 1
/* clang-format off */
static str auth_algorithm_list[] = {
	{"MD5", 3},
	{"SHA-256", 7},
	{NULL, 0}
};
/* clang-format on */

int hash_hex_len;
int add_authinfo_hdr =
		0; /* should an Authentication-Info header be added on 200 OK responses? */

calc_HA1_t calc_HA1;
calc_response_t calc_response;


/*! SL API structure */
sl_api_t _auth_slb;

/* clang-format off */
/*
 * Exported functions
 */
static cmd_export_t cmds[] = {
	{"consume_credentials", w_consume_credentials, 0, 0, 0, REQUEST_ROUTE},
	{"www_challenge", (cmd_function)www_challenge, 2, fixup_auth_challenge,
			0, REQUEST_ROUTE | FAILURE_ROUTE | ONREPLY_ROUTE},
	{"proxy_challenge", (cmd_function)proxy_challenge, 2,
			fixup_auth_challenge, 0,
			REQUEST_ROUTE | FAILURE_ROUTE | ONREPLY_ROUTE},
	{"auth_challenge", (cmd_function)w_auth_challenge, 2,
			fixup_auth_challenge, 0,
			REQUEST_ROUTE | FAILURE_ROUTE | ONREPLY_ROUTE},
	{"pv_www_authorize", (cmd_function)pv_www_authenticate, 3,
			fixup_pv_auth, 0, REQUEST_ROUTE},
	{"pv_www_authenticate", (cmd_function)pv_www_authenticate, 3,
			fixup_pv_auth, 0, REQUEST_ROUTE},
	{"pv_www_authenticate", (cmd_function)pv_www_authenticate2, 4,
			fixup_pv_auth, 0, REQUEST_ROUTE},
	{"pv_proxy_authorize", (cmd_function)pv_proxy_authenticate, 3,
			fixup_pv_auth, 0, REQUEST_ROUTE},
	{"pv_proxy_authenticate", (cmd_function)pv_proxy_authenticate, 3,
			fixup_pv_auth, 0, REQUEST_ROUTE},
	{"auth_get_www_authenticate", (cmd_function)w_auth_get_www_authenticate,
			3, fixup_auth_get_www_authenticate, 0, REQUEST_ROUTE},
	{"has_credentials", w_has_credentials, 1, fixup_spve_null, 0,
			REQUEST_ROUTE},
	{"pv_auth_check", (cmd_function)w_pv_auth_check, 4, fixup_pv_auth_check,
			0, REQUEST_ROUTE},
	{"auth_algorithm", w_auth_algorithm, 1, fixup_spve_null, 0,
			REQUEST_ROUTE},
	{"bind_auth_s", (cmd_function)bind_auth_s, 0, 0, 0},

	{0, 0, 0, 0, 0, 0}
};


/*
 * Exported parameters
 */
static param_export_t params[] = {
	{"secret", PARAM_STRING, &sec_param},
	{"nonce_expire", PARAM_INT, &nonce_expire},
	{"nonce_auth_max_drift", PARAM_INT, &nonce_auth_max_drift},
	{"protect_contacts", PARAM_INT, &protect_contacts},
	{"challenge_attr", PARAM_STR, &challenge_attr},
	{"proxy_challenge_header", PARAM_STR, &proxy_challenge_header},
	{"www_challenge_header", PARAM_STR, &www_challenge_header},
	{"qop", PARAM_STR, &auth_qop.qop_str},
	{"auth_checks_register", PARAM_INT, &auth_checks_reg},
	{"auth_checks_no_dlg", PARAM_INT, &auth_checks_ood},
	{"auth_checks_in_dlg", PARAM_INT, &auth_checks_ind},
	{"nonce_count", PARAM_INT, &nc_enabled},
	{"nc_array_size", PARAM_INT, &nc_array_size},
	{"nc_array_order", PARAM_INT, &nc_array_k},
	{"one_time_nonce", PARAM_INT, &otn_enabled},
	{"otn_in_flight_no", PARAM_INT, &otn_in_flight_no},
	{"otn_in_flight_order", PARAM_INT, &otn_in_flight_k},
	{"nid_pool_no", PARAM_INT, &nid_pool_no},
	{"force_stateless_reply", PARAM_INT, &force_stateless_reply},
	{"realm_prefix", PARAM_STRING, &auth_realm_prefix.s},
	{"use_domain", PARAM_INT, &auth_use_domain},
	{"algorithm", PARAM_STR, &auth_algorithm},
	{"add_authinfo_hdr", PARAM_INT, &add_authinfo_hdr},

	{0, 0, 0}
};


/*
 * Module interface
 */
struct module_exports exports = {
	"auth",
	DEFAULT_DLFLAGS,		/* dlopen flags */
	cmds,
	params,
	0,						/* RPC methods */
	0,						/* pseudo-variables exports */
	0,						/* response function */
	mod_init,				/* module initialization function */
	0,						/* child initialization function */
	destroy					/* destroy function */
};
/* clang-format on */


/*
 * Secret parameter was not used so we generate
 * a random value here
 */
static inline int generate_random_secret(void)
{
	int i;

	sec_rand1 = (char *)pkg_malloc(RAND_SECRET_LEN);
	sec_rand2 = (char *)pkg_malloc(RAND_SECRET_LEN);
	if(!sec_rand1 || !sec_rand2) {
		LM_ERR("No memory left\n");
		if(sec_rand1) {
			pkg_free(sec_rand1);
			sec_rand1 = 0;
		}
		return -1;
	}

	for(i = 0; i < RAND_SECRET_LEN; i++) {
		sec_rand1[i] = 32 + (int)(95.0 * kam_rand() / (KAM_RAND_MAX + 1.0));
	}

	secret1.s = sec_rand1;
	secret1.len = RAND_SECRET_LEN;

	for(i = 0; i < RAND_SECRET_LEN; i++) {
		sec_rand2[i] = 32 + (int)(95.0 * kam_rand() / (KAM_RAND_MAX + 1.0));
	}

	secret2.s = sec_rand2;
	secret2.len = RAND_SECRET_LEN;

	return 0;
}


static int mod_init(void)
{
	str attr;

	DBG("auth module - initializing\n");

	auth_realm_prefix.len = strlen(auth_realm_prefix.s);

	/* bind the SL API */
	if(sl_load_api(&_auth_slb) != 0) {
		LM_ERR("cannot bind to SL API\n");
		return -1;
	}

	/* If the parameter was not used */
	if(sec_param == 0) {
		/* Generate secret using random generator */
		if(generate_random_secret() < 0) {
			LM_ERR("Error while generating random secret\n");
			return -3;
		}
	} else {
		/* Otherwise use the parameter's value */
		secret1.s = sec_param;
		secret1.len = strlen(secret1.s);

		if(auth_checks_reg || auth_checks_ind || auth_checks_ood) {
			/* divide the secret in half: one half for secret1 and one half for
			 *  secret2 */
			secret2.len = secret1.len / 2;
			secret1.len -= secret2.len;
			secret2.s = secret1.s + secret1.len;
			if(secret2.len < 16) {
				LM_WARN("consider a longer secret when extra auth checks are"
						" enabled (the config secret is divided in 2!)\n");
			}
		}
	}

	if((!challenge_attr.s || challenge_attr.len == 0)
			|| challenge_attr.s[0] != '$') {
		LM_ERR("Invalid value of challenge_attr module parameter\n");
		return -1;
	}

	attr.s = challenge_attr.s + 1;
	attr.len = challenge_attr.len - 1;

	if(parse_avp_ident(&attr, &challenge_avpid) < 0) {
		LM_ERR("Error while parsing value of challenge_attr module"
			   " parameter\n");
		return -1;
	}

	parse_qop(&auth_qop);
	switch(auth_qop.qop_parsed) {
		case QOP_OTHER:
			LM_ERR("Unsupported qop parameter value\n");
			return -1;
		case QOP_AUTH:
		case QOP_AUTHINT:
			if(nc_enabled) {
#ifndef USE_NC
				LM_WARN("nounce count support enabled from config, but"
						" disabled at compile time (recompile with "
						"-DUSE_NC)\n");
				nc_enabled = 0;
#else
				if(nid_crt == 0)
					init_nonce_id();
				if(init_nonce_count() != 0)
					return -1;
#endif
			}
#ifdef USE_NC
			else {
				LM_INFO("qop set, but nonce-count (nonce_count) support"
						" disabled\n");
			}
#endif
			break;
		default:
			if(nc_enabled) {
				LM_WARN("nonce-count support enabled, but qop not set\n");
				nc_enabled = 0;
			}
			break;
	}
	if(otn_enabled) {
#ifdef USE_OT_NONCE
		if(nid_crt == 0)
			init_nonce_id();
		if(init_ot_nonce() != 0)
			return -1;
#else
		LM_WARN("one-time-nonce support enabled from config, but "
				"disabled at compile time (recompile with -DUSE_OT_NONCE)\n");
		otn_enabled = 0;
#endif /* USE_OT_NONCE */
	}

	if(auth_algorithm.len == 0 || strcmp(auth_algorithm.s, "MD5") == 0) {
		auth_algorithm = auth_algorithm_list[AUTH_ALG_MD5_IDX];
		hash_hex_len = HASHHEXLEN;
		calc_HA1 = calc_HA1_md5;
		calc_response = calc_response_md5;
	} else if(strcmp(auth_algorithm.s, "SHA-256") == 0) {
		auth_algorithm = auth_algorithm_list[AUTH_ALG_SHA256_IDX];
		hash_hex_len = HASHHEXLEN_SHA256;
		calc_HA1 = calc_HA1_sha256;
		calc_response = calc_response_sha256;
	} else {
		LM_ERR("Invalid algorithm provided."
			   " Possible values are \"\", \"MD5\" or \"SHA-256\"\n");
		return -1;
	}

	return 0;
}


static void destroy(void)
{
	if(sec_rand1)
		pkg_free(sec_rand1);
	if(sec_rand2)
		pkg_free(sec_rand2);
#ifdef USE_NC
	destroy_nonce_count();
#endif
#ifdef USE_OT_NONCE
	destroy_ot_nonce();
#endif
#if defined USE_NC || defined USE_OT_NONCE
	destroy_nonce_id();
#endif
}


/*
 * Remove used credentials from a SIP message header
 */
int consume_credentials(struct sip_msg *msg)
{
	struct hdr_field *h;
	int len;

	/* skip requests that can't be authenticated */
	if(msg->REQ_METHOD & (METHOD_ACK | METHOD_CANCEL | METHOD_PRACK))
		return -1;
	get_authorized_cred(msg->authorization, &h);
	if(!h) {
		get_authorized_cred(msg->proxy_auth, &h);
		if(!h) {
			LM_ERR("No authorized credentials found (error in scripts)\n");
			return -1;
		}
	}

	len = h->len;

	if(del_lump(msg, h->name.s - msg->buf, len, 0) == 0) {
		LM_ERR("Can't remove credentials\n");
		return -1;
	}

	return 1;
}

/**
 *
 */
int w_consume_credentials(struct sip_msg *msg, char *s1, char *s2)
{
	return consume_credentials(msg);
}

/**
 *
 */
int ki_has_credentials(sip_msg_t *msg, str *srealm)
{
	hdr_field_t *hdr = NULL;
	int ret;

	ret = find_credentials(msg, srealm, HDR_PROXYAUTH_T, &hdr);
	if(ret == 0) {
		LM_DBG("found proxy credentials with realm [%.*s]\n", srealm->len,
				srealm->s);
		return 1;
	}
	ret = find_credentials(msg, srealm, HDR_AUTHORIZATION_T, &hdr);
	if(ret == 0) {
		LM_DBG("found www credentials with realm [%.*s]\n", srealm->len,
				srealm->s);
		return 1;
	}

	LM_DBG("no credentials with realm [%.*s]\n", srealm->len, srealm->s);
	return -1;
}

/**
 *
 */
int w_has_credentials(sip_msg_t *msg, char *realm, char *s2)
{
	str srealm = {0, 0};

	if(fixup_get_svalue(msg, (gparam_t *)realm, &srealm) < 0) {
		LM_ERR("failed to get realm value\n");
		return -1;
	}
	return ki_has_credentials(msg, &srealm);
}

/**
 *
 */
static int ki_auth_algorithm(sip_msg_t *msg, str *alg)
{
	auth_algorithm = *alg;

	if(strcmp(auth_algorithm.s, "MD5") == 0) {
		auth_algorithm = auth_algorithm_list[AUTH_ALG_MD5_IDX];
		hash_hex_len = HASHHEXLEN;
		calc_HA1 = calc_HA1_md5;
		calc_response = calc_response_md5;
	} else if(strcmp(auth_algorithm.s, "SHA-256") == 0) {
		auth_algorithm = auth_algorithm_list[AUTH_ALG_SHA256_IDX];
		hash_hex_len = HASHHEXLEN_SHA256;
		calc_HA1 = calc_HA1_sha256;
		calc_response = calc_response_sha256;
	} else {
		LM_ERR("Invalid algorithm provided."
			   " Possible values are \"\", \"MD5\" or \"SHA-256\"\n");
		return -1;
	}

	return 1;
}

/**
 *
 */
int w_auth_algorithm(sip_msg_t *msg, char *alg, char *s2)
{
	str salg = str_init("");

	if(fixup_get_svalue(msg, (gparam_t *)alg, &salg) < 0) {
		LM_ERR("failed to get algorithm value\n");
		return -1;
	}

	return ki_auth_algorithm(msg, &salg);
}

#ifdef USE_NC
/**
 * Calls auth_check_hdr_md5 with the update_nonce flag set to false.
 * Used when flag 32 is set in pv_authenticate.
 */
static int auth_check_hdr_md5_noupdate(
		struct sip_msg *msg, auth_body_t *auth, auth_result_t *auth_res)
{
	return auth_check_hdr_md5(msg, auth, auth_res, 0);
}
#endif

/**
 * @brief do WWW-Digest authentication with password taken from cfg var
 */
int pv_authenticate(struct sip_msg *msg, str *realm, str *passwd, int flags,
		int hftype, str *method)
{
	struct hdr_field *h;
	auth_body_t *cred;
	auth_cfg_result_t ret;
	auth_result_t rauth;
	str hf = {0, 0};
	avp_value_t val;
	static char ha1[256];
	struct qp *qop = NULL;
	check_auth_hdr_t check_auth_hdr = NULL;

	cred = 0;
	ret = AUTH_ERROR;

#ifdef USE_NC
	if(nc_enabled && (flags & 32))
		check_auth_hdr = auth_check_hdr_md5_noupdate;
#endif

	switch(pre_auth(msg, realm, hftype, &h, check_auth_hdr)) {
		case NONCE_REUSED:
			LM_DBG("nonce reused");
			ret = AUTH_NONCE_REUSED;
			goto end;
		case STALE_NONCE:
			LM_DBG("stale nonce\n");
			ret = AUTH_STALE_NONCE;
			goto end;
		case NO_CREDENTIALS:
			LM_DBG("no credentials\n");
			ret = AUTH_NO_CREDENTIALS;
			goto end;
		case ERROR:
		case BAD_CREDENTIALS:
			LM_DBG("error or bad credentials\n");
			ret = AUTH_ERROR;
			goto end;
		case CREATE_CHALLENGE:
			LM_ERR("CREATE_CHALLENGE is not a valid state\n");
			ret = AUTH_ERROR;
			goto end;
		case DO_RESYNCHRONIZATION:
			LM_ERR("DO_RESYNCHRONIZATION is not a valid state\n");
			ret = AUTH_ERROR;
			goto end;
		case NOT_AUTHENTICATED:
			LM_DBG("not authenticated\n");
			ret = AUTH_ERROR;
			goto end;
		case DO_AUTHENTICATION:
			break;
		case AUTHENTICATED:
			ret = AUTH_OK;
			goto end;
	}

	cred = (auth_body_t *)h->parsed;

	/* compute HA1 if needed */
	if((flags & 1) == 0) {
		/* Plaintext password is stored in PV, calculate HA1 */
		calc_HA1(
				HA_MD5, &cred->digest.username.whole, realm, passwd, 0, 0, ha1);
		LM_DBG("HA1 string calculated: %s\n", ha1);
	} else {
		memcpy(ha1, passwd->s, passwd->len);
		ha1[passwd->len] = '\0';
	}

	/* Recalculate response, it must be same to authorize successfully */
	rauth = auth_check_response(&(cred->digest), method, ha1);
	if(rauth == AUTHENTICATED) {
		ret = AUTH_OK;
		switch(post_auth(msg, h, ha1)) {
			case AUTHENTICATED:
				break;
			default:
				ret = AUTH_ERROR;
				break;
		}
	} else {
		if(rauth == NOT_AUTHENTICATED)
			ret = AUTH_INVALID_PASSWORD;
		else
			ret = AUTH_ERROR;
	}

#ifdef USE_NC
	/* On success we need to update the nonce if flag 32 is set */
	if(nc_enabled && ret == AUTH_OK && (flags & 32)) {
		if(check_nonce(cred, &secret1, &secret2, msg, 1) < 0) {
			LM_ERR("check_nonce failed after post_auth");
			ret = AUTH_ERROR;
		}
	}
#endif

end:
	if(ret < 0) {
		/* check if required to add challenge header as avp */
		if(!(flags & 14))
			return ret;
		if(flags & 8) {
			qop = &auth_qauthint;
		} else if(flags & 4) {
			qop = &auth_qauth;
		}
		if(get_challenge_hf(msg, (cred ? cred->stale : 0), realm, NULL,
				   (auth_algorithm.len ? &auth_algorithm : NULL), qop, hftype,
				   &hf)
				< 0) {
			LM_ERR("Error while creating challenge\n");
			ret = AUTH_ERROR;
		} else {
			val.s = hf;
			if(add_avp(challenge_avpid.flags | AVP_VAL_STR,
					   challenge_avpid.name, val)
					< 0) {
				LM_ERR("Error while creating attribute with challenge\n");
				ret = AUTH_ERROR;
			}
			pkg_free(hf.s);
		}
	}

	return ret;
}

/**
 *
 */
static int ki_pv_proxy_authenticate(
		sip_msg_t *msg, str *realm, str *passwd, int flags)
{
	return pv_authenticate(msg, realm, passwd, flags, HDR_PROXYAUTH_T,
			&msg->first_line.u.request.method);
}

/**
 *
 */
static int pv_proxy_authenticate(
		struct sip_msg *msg, char *realm, char *passwd, char *flags)
{
	int vflags = 0;
	str srealm = {0, 0};
	str spasswd = {0, 0};

	if(get_str_fparam(&srealm, msg, (fparam_t *)realm) < 0) {
		LM_ERR("failed to get realm value\n");
		goto error;
	}

	if(srealm.len == 0) {
		LM_ERR("invalid realm value - empty content\n");
		goto error;
	}

	if(get_str_fparam(&spasswd, msg, (fparam_t *)passwd) < 0) {
		LM_ERR("failed to get passwd value\n");
		goto error;
	}

	if(spasswd.len == 0) {
		LM_ERR("invalid password value - empty content\n");
		goto error;
	}

	if(get_int_fparam(&vflags, msg, (fparam_t *)flags) < 0) {
		LM_ERR("invalid flags value\n");
		goto error;
	}
	return pv_authenticate(msg, &srealm, &spasswd, vflags, HDR_PROXYAUTH_T,
			&msg->first_line.u.request.method);

error:
	return AUTH_ERROR;
}

/**
 *
 */
static int ki_pv_www_authenticate(
		sip_msg_t *msg, str *realm, str *passwd, int flags)
{
	return pv_authenticate(msg, realm, passwd, flags, HDR_AUTHORIZATION_T,
			&msg->first_line.u.request.method);
}

/**
 *
 */
static int ki_pv_www_authenticate_method(
		sip_msg_t *msg, str *realm, str *passwd, int flags, str *method)
{
	return pv_authenticate(
			msg, realm, passwd, flags, HDR_AUTHORIZATION_T, method);
}

/**
 *
 */
static int pv_www_authenticate(
		struct sip_msg *msg, char *realm, char *passwd, char *flags)
{
	int vflags = 0;
	str srealm = {0, 0};
	str spasswd = {0, 0};

	if(get_str_fparam(&srealm, msg, (fparam_t *)realm) < 0) {
		LM_ERR("failed to get realm value\n");
		goto error;
	}

	if(srealm.len == 0) {
		LM_ERR("invalid realm value - empty content\n");
		goto error;
	}

	if(get_str_fparam(&spasswd, msg, (fparam_t *)passwd) < 0) {
		LM_ERR("failed to get passwd value\n");
		goto error;
	}

	if(spasswd.len == 0) {
		LM_ERR("invalid password value - empty content\n");
		goto error;
	}

	if(get_int_fparam(&vflags, msg, (fparam_t *)flags) < 0) {
		LM_ERR("invalid flags value\n");
		goto error;
	}
	return pv_authenticate(msg, &srealm, &spasswd, vflags, HDR_AUTHORIZATION_T,
			&msg->first_line.u.request.method);

error:
	return AUTH_ERROR;
}

static int pv_www_authenticate2(struct sip_msg *msg, char *realm, char *passwd,
		char *flags, char *method)
{
	int vflags = 0;
	str srealm = {0, 0};
	str spasswd = {0, 0};
	str smethod = {0, 0};

	if(get_str_fparam(&srealm, msg, (fparam_t *)realm) < 0) {
		LM_ERR("failed to get realm value\n");
		goto error;
	}

	if(srealm.len == 0) {
		LM_ERR("invalid realm value - empty content\n");
		goto error;
	}

	if(get_str_fparam(&spasswd, msg, (fparam_t *)passwd) < 0) {
		LM_ERR("failed to get passwd value\n");
		goto error;
	}

	if(spasswd.len == 0) {
		LM_ERR("invalid password value - empty content\n");
		goto error;
	}

	if(get_int_fparam(&vflags, msg, (fparam_t *)flags) < 0) {
		LM_ERR("invalid flags value\n");
		goto error;
	}

	if(get_str_fparam(&smethod, msg, (fparam_t *)method) < 0) {
		LM_ERR("failed to get method value from msg %p var %p\n", msg, method);
		goto error;
	}

	if(smethod.len == 0) {
		LM_ERR("invalid method value - empty content\n");
		goto error;
	}

	return pv_authenticate(
			msg, &srealm, &spasswd, vflags, HDR_AUTHORIZATION_T, &smethod);

error:
	return AUTH_ERROR;
}

/**
 *
 */
static int pv_auth_check(
		sip_msg_t *msg, str *srealm, str *spasswd, int vflags, int vchecks)
{
	int ret;
	hdr_field_t *hdr;
	sip_uri_t *uri = NULL;
	sip_uri_t *turi = NULL;
	sip_uri_t *furi = NULL;
	str suser;

	if(msg->REQ_METHOD == METHOD_REGISTER)
		ret = pv_authenticate(msg, srealm, spasswd, vflags, HDR_AUTHORIZATION_T,
				&msg->first_line.u.request.method);
	else
		ret = pv_authenticate(msg, srealm, spasswd, vflags, HDR_PROXYAUTH_T,
				&msg->first_line.u.request.method);

	if(ret == AUTH_OK && (vchecks & AUTH_CHECK_ID_F)) {
		hdr = (msg->proxy_auth == 0) ? msg->authorization : msg->proxy_auth;
		if(hdr == NULL) {
			if(msg->REQ_METHOD & (METHOD_ACK | METHOD_CANCEL | METHOD_PRACK)) {
				return AUTH_OK;
			} else {
				return AUTH_ERROR;
			}
		}
		suser = ((auth_body_t *)(hdr->parsed))->digest.username.user;

		if((furi = parse_from_uri(msg)) == NULL)
			return AUTH_ERROR;

		if(msg->REQ_METHOD == METHOD_REGISTER
				|| msg->REQ_METHOD == METHOD_PUBLISH) {
			if((turi = parse_to_uri(msg)) == NULL)
				return AUTH_ERROR;
			uri = turi;
		} else {
			uri = furi;
		}
		if(suser.len != uri->user.len
				|| strncmp(suser.s, uri->user.s, suser.len) != 0)
			return AUTH_USER_MISMATCH;

		if(msg->REQ_METHOD == METHOD_REGISTER
				|| msg->REQ_METHOD == METHOD_PUBLISH) {
			/* check from==to */
			if(furi->user.len != turi->user.len
					|| strncmp(furi->user.s, turi->user.s, furi->user.len) != 0)
				return AUTH_USER_MISMATCH;
			if(auth_use_domain != 0
					&& (furi->host.len != turi->host.len
							|| strncmp(furi->host.s, turi->host.s,
									   furi->host.len)
									   != 0))
				return AUTH_USER_MISMATCH;
			/* check r-uri==from for publish */
			if(msg->REQ_METHOD == METHOD_PUBLISH) {
				if(parse_sip_msg_uri(msg) < 0)
					return AUTH_ERROR;
				uri = &msg->parsed_uri;
				if(furi->user.len != uri->user.len
						|| strncmp(furi->user.s, uri->user.s, furi->user.len)
								   != 0)
					return AUTH_USER_MISMATCH;
				if(auth_use_domain != 0
						&& (furi->host.len != uri->host.len
								|| strncmp(furi->host.s, uri->host.s,
										   furi->host.len)
										   != 0))
					return AUTH_USER_MISMATCH;
			}
		}
		return AUTH_OK;
	}

	return ret;
}

/**
 *
 */
static int w_pv_auth_check(
		sip_msg_t *msg, char *realm, char *passwd, char *flags, char *checks)
{
	int vflags = 0;
	int vchecks = 0;
	str srealm = {0, 0};
	str spasswd = {0, 0};


	if(msg == NULL) {
		LM_ERR("invalid msg parameter\n");
		return AUTH_ERROR;
	}

	if((msg->REQ_METHOD == METHOD_ACK) || (msg->REQ_METHOD == METHOD_CANCEL)) {
		return AUTH_OK;
	}

	if(realm == NULL || passwd == NULL || flags == NULL || checks == NULL) {
		LM_ERR("invalid parameters\n");
		return AUTH_ERROR;
	}

	if(get_str_fparam(&srealm, msg, (fparam_t *)realm) < 0) {
		LM_ERR("failed to get realm value\n");
		return AUTH_ERROR;
	}

	if(srealm.len == 0) {
		LM_ERR("invalid realm value - empty content\n");
		return AUTH_ERROR;
	}

	if(get_str_fparam(&spasswd, msg, (fparam_t *)passwd) < 0) {
		LM_ERR("failed to get passwd value\n");
		return AUTH_ERROR;
	}

	if(spasswd.len == 0) {
		LM_ERR("invalid password value - empty content\n");
		return AUTH_ERROR;
	}

	if(get_int_fparam(&vflags, msg, (fparam_t *)flags) < 0) {
		LM_ERR("invalid flags value\n");
		return AUTH_ERROR;
	}

	if(get_int_fparam(&vchecks, msg, (fparam_t *)checks) < 0) {
		LM_ERR("invalid checks value\n");
		return AUTH_ERROR;
	}
	LM_DBG("realm [%.*s] flags [%d] checks [%d]\n", srealm.len, srealm.s,
			vflags, vchecks);
	return pv_auth_check(msg, &srealm, &spasswd, vflags, vchecks);
}


/**
 * @brief fixup function for pv_{www,proxy}_authenticate
 */
static int fixup_pv_auth(void **param, int param_no)
{
	if(strlen((char *)*param) <= 0) {
		LM_ERR("empty parameter %d not allowed\n", param_no);
		return -1;
	}

	switch(param_no) {
		case 1:
		case 2:
		case 4:
			return fixup_var_pve_str_12(param, 1);
		case 3:
			return fixup_var_int_12(param, 1);
	}
	return 0;
}

/**
 * @brief fixup function for pv_{www,proxy}_authenticate
 */
static int fixup_pv_auth_check(void **param, int param_no)
{
	if(strlen((char *)*param) <= 0) {
		LM_ERR("empty parameter %d not allowed\n", param_no);
		return -1;
	}

	switch(param_no) {
		case 1:
		case 2:
			return fixup_var_pve_str_12(param, 1);
		case 3:
		case 4:
			return fixup_var_int_12(param, 1);
	}
	return 0;
}


/**
 *
 */
static int auth_send_reply(
		struct sip_msg *msg, int code, char *reason, char *hdr, int hdr_len)
{
	str reason_str;

	/* Add new headers if there are any */
	if((hdr != NULL) && (hdr_len > 0)) {
		if(add_lump_rpl(msg, hdr, hdr_len, LUMP_RPL_HDR) == 0) {
			LM_ERR("failed to append hdr to reply\n");
			return -1;
		}
	}

	reason_str.s = reason;
	reason_str.len = strlen(reason);

	return force_stateless_reply ? _auth_slb.sreply(msg, code, &reason_str)
								 : _auth_slb.freply(msg, code, &reason_str);
}

/**
 *
 */
int auth_challenge_helper(
		struct sip_msg *msg, str *realm, int flags, int hftype, str *res)
{
	int ret, stale;
	str hf = {0, 0};
	struct qp *qop = NULL;

	ret = -1;

	if(flags & 2) {
		qop = &auth_qauthint;
	} else if(flags & 1) {
		qop = &auth_qauth;
	}
	if(flags & 16) {
		stale = 1;
	} else {
		stale = 0;
	}
	if(get_challenge_hf(msg, stale, realm, NULL,
			   (auth_algorithm.len ? &auth_algorithm : NULL), qop, hftype, &hf)
			< 0) {
		LM_ERR("Error while creating challenge\n");
		ret = -2;
		goto error;
	}

	ret = 1;
	if(res != NULL) {
		*res = hf;
		return ret;
	}
	switch(hftype) {
		case HDR_AUTHORIZATION_T:
			if(auth_send_reply(msg, 401, "Unauthorized", hf.s, hf.len) < 0)
				ret = -3;
			break;
		case HDR_PROXYAUTH_T:
			if(auth_send_reply(
					   msg, 407, "Proxy Authentication Required", hf.s, hf.len)
					< 0)
				ret = -3;
			break;
	}
	if(hf.s)
		pkg_free(hf.s);
	return ret;

error:
	if(hf.s)
		pkg_free(hf.s);
	if(!(flags & 4)) {
		if(auth_send_reply(msg, 500, "Internal Server Error", 0, 0) < 0)
			ret = -4;
	}
	return ret;
}

/**
 *
 */
int auth_challenge_hftype(
		struct sip_msg *msg, str *realm, int flags, int hftype)
{
	return auth_challenge_helper(msg, realm, flags, hftype, NULL);
}

/**
 *
 */
int auth_challenge(sip_msg_t *msg, str *realm, int flags)
{
	int htype;

	if(msg == NULL)
		return -1;

	if(msg->REQ_METHOD == METHOD_REGISTER)
		htype = HDR_AUTHORIZATION_T;
	else
		htype = HDR_PROXYAUTH_T;

	return auth_challenge_helper(msg, realm, flags, htype, NULL);
}

/**
 *
 */
static int proxy_challenge(struct sip_msg *msg, char *realm, char *flags)
{
	int vflags = 0;
	str srealm = {0, 0};

	if(get_str_fparam(&srealm, msg, (fparam_t *)realm) < 0) {
		LM_ERR("failed to get realm value\n");
		goto error;
	}

	if(srealm.len == 0) {
		LM_ERR("invalid realm value - empty content\n");
		goto error;
	}

	if(get_int_fparam(&vflags, msg, (fparam_t *)flags) < 0) {
		LM_ERR("invalid flags value\n");
		goto error;
	}

	return auth_challenge_hftype(msg, &srealm, vflags, HDR_PROXYAUTH_T);

error:
	if(!(vflags & 4)) {
		if(auth_send_reply(msg, 500, "Internal Server Error", 0, 0) < 0)
			return -4;
	}
	return -1;
}

/**
 *
 */
static int www_challenge(struct sip_msg *msg, char *realm, char *flags)
{
	int vflags = 0;
	str srealm = {0, 0};

	if(get_str_fparam(&srealm, msg, (fparam_t *)realm) < 0) {
		LM_ERR("failed to get realm value\n");
		goto error;
	}

	if(srealm.len == 0) {
		LM_ERR("invalid realm value - empty content\n");
		goto error;
	}

	if(get_int_fparam(&vflags, msg, (fparam_t *)flags) < 0) {
		LM_ERR("invalid flags value\n");
		goto error;
	}

	return auth_challenge_hftype(msg, &srealm, vflags, HDR_AUTHORIZATION_T);

error:
	if(!(vflags & 4)) {
		if(auth_send_reply(msg, 500, "Internal Server Error", 0, 0) < 0)
			return -4;
	}
	return -1;
}

/**
 *
 */
static int ki_www_challenge(struct sip_msg *msg, str *realm, int flags)
{
	return auth_challenge_hftype(msg, realm, flags, HDR_AUTHORIZATION_T);
}

/**
 *
 */
static int ki_proxy_challenge(struct sip_msg *msg, str *realm, int flags)
{
	return auth_challenge_hftype(msg, realm, flags, HDR_PROXYAUTH_T);
}

/**
 *
 */
static int w_auth_challenge(struct sip_msg *msg, char *realm, char *flags)
{
	int vflags = 0;
	str srealm = {0, 0};

	if((msg->REQ_METHOD == METHOD_ACK) || (msg->REQ_METHOD == METHOD_CANCEL)) {
		return 1;
	}

	if(get_str_fparam(&srealm, msg, (fparam_t *)realm) < 0) {
		LM_ERR("failed to get realm value\n");
		goto error;
	}

	if(srealm.len == 0) {
		LM_ERR("invalid realm value - empty content\n");
		goto error;
	}

	if(get_int_fparam(&vflags, msg, (fparam_t *)flags) < 0) {
		LM_ERR("invalid flags value\n");
		goto error;
	}

	if(msg->REQ_METHOD == METHOD_REGISTER)
		return auth_challenge_hftype(msg, &srealm, vflags, HDR_AUTHORIZATION_T);
	else
		return auth_challenge_hftype(msg, &srealm, vflags, HDR_PROXYAUTH_T);

error:
	if(!(vflags & 4)) {
		if(auth_send_reply(msg, 500, "Internal Server Error", 0, 0) < 0)
			return -4;
	}
	return -1;
}


/**
 * @brief fixup function for {www,proxy}_challenge
 */
static int fixup_auth_challenge(void **param, int param_no)
{
	if(strlen((char *)*param) <= 0) {
		LM_ERR("empty parameter %d not allowed\n", param_no);
		return -1;
	}

	switch(param_no) {
		case 1:
			return fixup_var_str_12(param, 1);
		case 2:
			return fixup_var_int_12(param, 1);
	}
	return 0;
}


/**
 *
 */
static int w_auth_get_www_authenticate(
		sip_msg_t *msg, char *realm, char *flags, char *dst)
{
	int vflags = 0;
	str srealm = {0};
	str hf = {0};
	pv_spec_t *pv;
	pv_value_t val;
	int ret;

	if(get_str_fparam(&srealm, msg, (fparam_t *)realm) < 0) {
		LM_ERR("failed to get realm value\n");
		goto error;
	}

	if(srealm.len == 0) {
		LM_ERR("invalid realm value - empty content\n");
		goto error;
	}

	if(get_int_fparam(&vflags, msg, (fparam_t *)flags) < 0) {
		LM_ERR("invalid flags value\n");
		goto error;
	}

	pv = (pv_spec_t *)dst;

	ret = auth_challenge_helper(
			NULL, &srealm, vflags, HDR_AUTHORIZATION_T, &hf);

	if(ret < 0)
		return ret;

	val.rs.s = pv_get_buffer();
	val.rs.len = 0;
	if(hf.s != NULL) {
		memcpy(val.rs.s, hf.s, hf.len);
		val.rs.len = hf.len;
		val.rs.s[val.rs.len] = '\0';
		pkg_free(hf.s);
	}
	val.flags = PV_VAL_STR;
	pv->setf(msg, &pv->pvp, (int)EQ_T, &val);

	return ret;

error:
	return -1;
}


static int fixup_auth_get_www_authenticate(void **param, int param_no)
{
	if(strlen((char *)*param) <= 0) {
		LM_ERR("empty parameter %d not allowed\n", param_no);
		return -1;
	}

	switch(param_no) {
		case 1:
			return fixup_var_str_12(param, 1);
		case 2:
			return fixup_var_int_12(param, 1);
		case 3:
			if(fixup_pvar_null(param, 1) != 0) {
				LM_ERR("failed to fixup result pvar\n");
				return -1;
			}
			if(((pv_spec_t *)(*param))->setf == NULL) {
				LM_ERR("result pvar is not writeble\n");
				return -1;
			}
			return 0;
	}
	return 0;
}

/**
 *
 */
static int ki_auth_get_www_authenticate(
		sip_msg_t *msg, str *realm, int flags, str *pvdst)
{
	str hf = {0};
	pv_spec_t *pvs;
	pv_value_t val;
	int ret;

	pvs = pv_cache_get(pvdst);
	if(pvs == NULL) {
		LM_ERR("cannot get pv spec for [%.*s]\n", pvdst->len, pvdst->s);
		return -1;
	}

	ret = auth_challenge_helper(NULL, realm, flags, HDR_AUTHORIZATION_T, &hf);

	if(ret < 0)
		return ret;

	val.rs.s = pv_get_buffer();
	val.rs.len = 0;
	if(hf.s != NULL) {
		memcpy(val.rs.s, hf.s, hf.len);
		val.rs.len = hf.len;
		val.rs.s[val.rs.len] = '\0';
		pkg_free(hf.s);
	}
	val.flags = PV_VAL_STR;
	pvs->setf(msg, &pvs->pvp, (int)EQ_T, &val);

	return (ret == 0) ? 1 : ret;
}

/**
 *
 */
/* clang-format off */
static sr_kemi_t sr_kemi_auth_exports[] = {
	{ str_init("auth"), str_init("consume_credentials"),
		SR_KEMIP_INT, consume_credentials,
		{ SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE,
			SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},
	{ str_init("auth"), str_init("auth_challenge"),
		SR_KEMIP_INT, auth_challenge,
		{ SR_KEMIP_STR, SR_KEMIP_INT, SR_KEMIP_NONE,
			SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},
	{ str_init("auth"), str_init("www_challenge"),
		SR_KEMIP_INT, ki_www_challenge,
		{ SR_KEMIP_STR, SR_KEMIP_INT, SR_KEMIP_NONE,
			SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},
	{ str_init("auth"), str_init("proxy_challenge"),
		SR_KEMIP_INT, ki_proxy_challenge,
		{ SR_KEMIP_STR, SR_KEMIP_INT, SR_KEMIP_NONE,
			SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},
	{ str_init("auth"), str_init("pv_auth_check"),
		SR_KEMIP_INT, pv_auth_check,
		{ SR_KEMIP_STR, SR_KEMIP_STR, SR_KEMIP_INT,
			SR_KEMIP_INT, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},
	{ str_init("auth"), str_init("pv_proxy_authenticate"),
		SR_KEMIP_INT, ki_pv_proxy_authenticate,
		{ SR_KEMIP_STR, SR_KEMIP_STR, SR_KEMIP_INT,
			SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},
	{ str_init("auth"), str_init("pv_www_authenticate"),
		SR_KEMIP_INT, ki_pv_www_authenticate,
		{ SR_KEMIP_STR, SR_KEMIP_STR, SR_KEMIP_INT,
			SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},
	{ str_init("auth"), str_init("pv_www_authenticate_method"),
		SR_KEMIP_INT, ki_pv_www_authenticate_method,
		{ SR_KEMIP_STR, SR_KEMIP_STR, SR_KEMIP_INT,
			SR_KEMIP_STR, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},
	{ str_init("auth"), str_init("has_credentials"),
		SR_KEMIP_INT, ki_has_credentials,
		{ SR_KEMIP_STR, SR_KEMIP_NONE, SR_KEMIP_NONE,
			SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},
	{ str_init("auth"), str_init("auth_get_www_authenticate"),
		SR_KEMIP_INT, ki_auth_get_www_authenticate,
		{ SR_KEMIP_STR, SR_KEMIP_INT, SR_KEMIP_STR,
			SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},
	{ str_init("auth"), str_init("auth_algorithm"),
		SR_KEMIP_INT, ki_auth_algorithm,
		{ SR_KEMIP_STR, SR_KEMIP_NONE, SR_KEMIP_NONE,
			SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
	},

	{ {0, 0}, {0, 0}, 0, NULL, { 0, 0, 0, 0, 0, 0 } }
};
/* clang-format on */

/**
 *
 */
int mod_register(char *path, int *dlflags, void *p1, void *p2)
{
	sr_kemi_modules_add(sr_kemi_auth_exports);
	return 0;
}
